
[Openstack-security] [Bug 1654598] Related fix merged to manila-tempest-plugin (master)

Submitter: Zuul
Branch:    master

commit b5ed5dfaa5ed4989bdefc30abb00902a46052951
Author: Tom Barron <tpb at>
Date:   Sun Mar 1 21:27:26 2020 +0100

    Fix export location negative tests
    When running as a regular user, attempts to get share export
    locations for a share belonging to another user should be
    Share instance export locations are not available to regular
    users by virtue of default policy.
    Related-bug: #1654598
    Closes-bug: #1655427
    Change-Id: Iabe7fb68facd0ddffec738ab4e98d1de3a704ee4
    Signed-off-by: Goutham Pacha Ravi <gouthampravi at>

You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.

  User can list other tenant's and admin's export locations

Status in Manila:
  Fix Released
Status in Manila ocata series:
  Won't Fix
Status in Manila pike series:
  In Progress
Status in Manila queens series:
  Fix Committed
Status in Manila rocky series:
  Fix Committed
Status in Manila stein series:
  Fix Released
Status in Manila train series:
  Fix Released
Status in Manila ussuri series:
  Fix Released

Bug description:
  Currently, the share export locations API is allowing any tenant to
  obtain export locations of any tenant's share.

  See the below URL:

  64350ec996cb4d91bfaa728fd7199313: this is a non-admin tenant ID

  e93eb079-58fb-4758-9d95-a9a645b0250a: this is an admin's share ID

  This is because the API layer of the share export locations controller
  is going directly to the database to obtain the export locations of
  the supplied share ID.

  The ownership check is performed at the Share/API layer, which is not
  invoked in this workflow.

  Most surprisingly of all, the tempest tests:

  - test_export_locations.ExportLocationsTest.test_list_share_export_locations_by_member
  - test_export_locations.ExportLocationsTest.test_get_share_export_location_by_member

  ... should not be passing at all (and should be negative tests), as
  they are testing if a non-admin tenant is able to obtain and list
  export locations of a share created by the admin_client used by

  Affected releases:
  - Liberty
  - Mitaka
  - Newton
  - Ocata

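The flaw in the bug description, sketched as an added example that is not part of the original notification and is not Manila's code: one controller reads export locations straight from the database, the other resolves the share through an API layer that checks ownership first. All names, the sample data and the choice of a not-found error for denied requests are assumptions made for illustration.

```python
"""Toy model of the flaw; every name here is hypothetical, not Manila's code."""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing shares and for shares the caller may not see."""


@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False


# Constructed sample data standing in for the database.
SHARES = {"share-admin": {"project_id": "admin-project"}}
EXPORT_LOCATIONS = {"share-admin": ["10.0.0.5:/shares/share-admin"]}


def db_export_locations(share_id):
    """Database layer: returns rows for any share id, no ownership check."""
    return EXPORT_LOCATIONS.get(share_id, [])


def share_api_get(ctx, share_id):
    """Share/API layer: the only place ownership is enforced."""
    share = SHARES.get(share_id)
    if share is None or not (ctx.is_admin or share["project_id"] == ctx.project_id):
        raise NotFound(share_id)  # same error either way (assumed design choice)
    return share


def list_export_locations_vulnerable(ctx, share_id):
    """Controller as described in the bug: goes straight to the database."""
    return db_export_locations(share_id)


def list_export_locations_fixed(ctx, share_id):
    """Controller that resolves the share through the API layer first."""
    share_api_get(ctx, share_id)  # raises NotFound for other tenants' shares
    return db_export_locations(share_id)


def denied(controller, ctx, share_id):
    """Negative-test helper: True when the controller refuses the request."""
    try:
        controller(ctx, share_id)
    except NotFound:
        return True
    return False
```

A negative test for this class of bug asserts `denied(...)` for a non-admin context against a share owned by another project, which is the expectation the two tempest tests named in the description were missing.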